07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8

max time kernel144s
max time network148s
platformwindows10_x64
resourcewin10v20201028
submitted28-02-2021 07:08

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe

Filesize

78KB

Completed

28-02-2021 07:11

Score

10^/10

MD5

ec1f806b2ca57c3c03be303890c6fd65

SHA1

7d48e0cb19d60dfe2a3a04aef63c57482a024c97

SHA256

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8

Defense Evasion

Discovery

Persistence

MetamorpherRAT

Description

Metamorpherrat is a hacking tool that has been around for a while since 2013.

Tags

trojan rat stealer metamorpherrat
Executes dropped EXE
tmp2D11.tmp.exe

Reported IOCs

pid process

708 tmp2D11.tmp.exe
Deletes itself
tmp2D11.tmp.exe

Reported IOCs

pid process

708 tmp2D11.tmp.exe
Uses the VBS compiler for execution

TTPs

Scripting

pid	process
708	tmp2D11.tmp.exe

pid	process
708	tmp2D11.tmp.exe

Adds Run key to start application

tmp2D11.tmp.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmp2D11.tmp.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Suspicious use of AdjustPrivilegeToken

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exetmp2D11.tmp.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	4684	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
Token: SeDebugPrivilege	708	tmp2D11.tmp.exe

Suspicious use of WriteProcessMemory

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exevbc.exe

Reported IOCs

description	pid	process	target process
PID 4684 wrote to memory of 992	4684	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	vbc.exe
PID 4684 wrote to memory of 992	4684	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	vbc.exe
PID 4684 wrote to memory of 992	4684	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	vbc.exe
PID 992 wrote to memory of 3676	992	vbc.exe	cvtres.exe
PID 992 wrote to memory of 3676	992	vbc.exe	cvtres.exe
PID 992 wrote to memory of 3676	992	vbc.exe	cvtres.exe
PID 4684 wrote to memory of 708	4684	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	tmp2D11.tmp.exe
PID 4684 wrote to memory of 708	4684	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	tmp2D11.tmp.exe
PID 4684 wrote to memory of 708	4684	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	tmp2D11.tmp.exe

C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe

"C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe"

Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:4684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smhk2iid.cmdline"

Suspicious use of WriteProcessMemory

PID:992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5573FE4A52444FFBB16DCE4035DE28F1.TMP"

PID:3676

C:\Users\Admin\AppData\Local\Temp\tmp2D11.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2D11.tmp.exe" C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe

Executes dropped EXE
Deletes itself
Adds Run key to start application
Suspicious use of AdjustPrivilegeToken

PID:708

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\RES2E49.tmp
MD5
c09e203206ba845940382aeffc897118

SHA1
cf026b3f1981684991a4519565d34e7b42d887a4

SHA256
10e1262ee5aa72d5f21358764cfcdc9c5f35fc294805148715110e5adc48a1ad

SHA512
246128887850e6d55ce9789d1a78741a8b0d8798633ccebbe1119594abf8afcdb8d27bb93c7cd942300fe99175b20a3862bc731af38148f96af8993b229a1f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\smhk2iid.0.vb
MD5
f034b63bf17fa1090878e95a1032f40e

SHA1
54e1461012d708625730172a44a77147309929e9

SHA256
e72f4d04bae919618969bb1e91a0eeefcf250dc4da3691b37984753698580689

SHA512
331dd62c779b4ae69f4c4a180ed3233f182922c1cd3eb808c0fdd9c9e08d58fc8aec4ad6d26e799e1e7f6098ec5cc89c458e561ca3fb5ea9db455e67b9d69dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\smhk2iid.cmdline
MD5
54e1a05dfb5f8dbb935f1bba9e01db04

SHA1
7d144d1b3bf1e2070fe941374bedf90259c08289

SHA256
ab2a5f4ec5c29c03f0da65258c4a6f504381cc99e35226afa4b18ce5e83bdcba

SHA512
571eb5e790485984bc481fe5e9acfe62b0ae5408e2bf605a6fa719b01a2352b0ab2f4860d8cbe90895f222c3c537acddabdb2f06e807b9c4712f62d713d42d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D11.tmp.exe
MD5
8ff924d3f855014eacbeb1c2aec2b6e1

SHA1
3e785481ab8c5baf634b2b7a5dcb5b9a2b4cea5f

SHA256
661d9d5ee97a3cb8f55d29e78c154bfda41907ea11f70719bda3e1da11337ae8

SHA512
eeb7268c2c69e380ee30bbaa4f162da4fd9fd6662b2e66db5f738fba2b0c6dc9e998d2bc5a502c5b9573bd436b7abdd70440ce666d41b2e0f377722bfca695cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D11.tmp.exe
MD5
8ff924d3f855014eacbeb1c2aec2b6e1

SHA1
3e785481ab8c5baf634b2b7a5dcb5b9a2b4cea5f

SHA256
661d9d5ee97a3cb8f55d29e78c154bfda41907ea11f70719bda3e1da11337ae8

SHA512
eeb7268c2c69e380ee30bbaa4f162da4fd9fd6662b2e66db5f738fba2b0c6dc9e998d2bc5a502c5b9573bd436b7abdd70440ce666d41b2e0f377722bfca695cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5573FE4A52444FFBB16DCE4035DE28F1.TMP
MD5
2f454a42c9e2b76ecae9f901856bf246

SHA1
2c17770304e8104320d29d0fe768986309464e82

SHA256
1ecc8e3c958ebe0e654c1590c6947e4a0ce20ec97144c8f3292408b10ea4c5c9

SHA512
8d44d2eeaad937bd3ec4078a31ed7fd818d3f840dd9bffc7d2ec964207597e1a7c07fcb8a1e6123cda722357a2fce02b40892a41de44e456d0fcc113f34a786d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/708-15-0x0000000002F23000-0x0000000002F25000-memory.dmp

Download
memory/708-14-0x0000000002F20000-0x0000000002F21000-memory.dmp

Download
memory/708-12-0x0000000000000000-mapping.dmp

Download
memory/992-11-0x0000000002350000-0x0000000002351000-memory.dmp

Download
memory/992-3-0x0000000000000000-mapping.dmp

Download
memory/3676-7-0x0000000000000000-mapping.dmp

Download
memory/4684-2-0x0000000002720000-0x0000000002721000-memory.dmp

Download

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

TTPs

Tags

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Title